CSCC Technical White Paper Final v6 July 17 2017
Industry Technical White Paper
ABSTRACT
On May 11, 2017 President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, tasking the Department of Commerce and the Department of Homeland Security to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by botnets, particularly distributed denial of service attacks. In this technical white paper, the communications sector describes the botnet problem from the perspective of internet service providers (ISPs), identifies some challenges and opportunities, and then proposes several preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with botnets and automated attacks.
Communications Sector Coordinating Council
July 17, 2017
Communications Sector Coordinating Council | www.comms-scc.org
Table of Contents
Executive Summary ........................................ 1
Internet Ecosystem and Communications Sector ............. 3
Bots, Botnets and Associated Threats ..................... 7
Current Tools and Techniques ............................ 14
Emerging Solutions ...................................... 18
Challenges and Opportunities ............................ 21
Industry Recommendations ................................ 29
Conclusion .............................................. 31
Appendix A - Cyber Threat Reports ........................ i
Appendix B – Threats from Botnets ....................... iv
Glossary ................................................ vi
Executive Summary
A bot is code used to seize control over a computer or a device to form a network of infected machines, known as a botnet. Many botnets are self-spreading and self-organizing networks of compromised machines that can be used to perform malicious activities in a coordinated way through command and control (C&C) channels. While bots are not new, the growing deployment of Internet of Things (IoT) devices amplifies their capability to create a large-scale global security threat.
In recognition of this growing global threat, on May 11, 2017, President Trump signed Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,[1] tasking the Department of Commerce (DoC) and the Department of Homeland Security (DHS) to lead an open and transparent process to identify ways to improve the resilience of the internet and communications ecosystem and reduce the threats perpetuated by bots and botnets.
In this technical white paper, the communications sector, specifically internet service providers (ISPs) in this context, seeks to inform that process by describing the shared responsibilities of key participants in the internet ecosystem for mitigating the threats posed by botnets. It is a fallacy to believe that any single component of the internet ecosystem has the ability to mitigate the threat from botnets and other automated systems. While ISPs, as infrastructure owners and operators, play an important role in this ecosystem, so do the manufacturers of devices, developers of software, system integrators, edge providers, cloud service providers, and others. It will take the concerted effort of all members of this ecosystem to address fully the threats from bots and botnets.
The internet ecosystem has been working collaboratively to neutralize the threats from bots and botnets for years. In this paper, the Communications Sector Coordinating Council (CSCC) identifies a number of challenges of mitigating botnets, and opportunities for increased collaboration and cooperation among members of the internet ecosystem to address the problem, including:
• Improving the efficiency of the law enforcement process to take down botnets;
[1] The White House Office of the Press Secretary, Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (May 11, 2017), available at https://www.whitehouse.gov/the-press-office/2017/05/11/presidential-executive-order-strengthening-cybersecurity-federal.
• Sharing of actionable cyber threat information;
• Reducing the dependency upon the use of network address translation (NAT) functions;
• Mitigating botnet traffic from foreign countries;
• Managing end-user notifications of malware infections;
• Defending against unsecured IoT devices;
• Combatting the use of fast flux domain name server (DNS) by botnets to hide their infrastructure; and
• Coordinating network-to-network network management.
As part of DoC and DHS's open and transparent process, the CSCC also proposes the following preliminary recommendations or actionable steps that ecosystem participants, including ISPs, should consider to mitigate the threats associated with bots, botnets, and automated attacks:
• Streamline the law enforcement process to take down botnets;
• Encourage continued migration to IPv6;
• Ensure that shared cyber threat information is actionable and tailored to meet recipients' needs;
• Network operators and end-users should include pre-negotiated provisions for traffic filtering in transit and peering agreements;
• Encourage the Internet Corporation for Assigned Names and Numbers (ICANN), registries, and registrars to adopt the fast flux mitigation techniques recommended by the Security and Stability Advisory Committee (SSAC);
• Improve botnet detection by encouraging the adoption and use of machine learning techniques;
• Ensure all end-points including IoT devices adhere to industry developed security standards;
• Ensure end-points are running up-to-date software; and
• IoT devices should use network isolation and/or network based filtering techniques for any communications to cloud-based services.
Internet Ecosystem and Communications Sector
The ecosystem supporting the internet, including the members of the communications sector providing internet access services, is complex, diverse, and inter-dependent. To fully understand the threats that botnets pose, it is important to understand the ecosystem and stakeholders' relationships. This section provides a summary of the internet ecosystem and explains how the communications sector fits into the broader internet ecosystem in protecting critical infrastructure from threats from bots and botnets.
Internet Ecosystem
The internet ecosystem is a diverse, highly integrated system comprised of many stakeholders. The Internet Society (ISOC) describes the broad internet ecosystem as being made up of six primary communities as shown below.[2]
[2] Internet Society, Who Makes the Internet Work: The Internet Ecosystem (Feb. 3, 2014), available at http://www.internetsociety.org/who-makes-internet-work-internet-ecosystem (accessed July 16, 2017).
Figure 1 Internet Ecosystem
Source: Internet Society
The network operators, which are part of the communications sector, provide the "Shared Global Services and Operations" shown in Figure 1. When viewed solely from the network perspective, the internet ecosystem looks more like Figure 2.
Figure 2 Network View of Internet Ecosystem
In this context, the internet ecosystem is comprised of many machines/devices (e.g., smartphones, desktop computers, IoT devices, etc.) that connect to network service providers. The network service providers use a combination of transit and peering[3] to provide internet connectivity to service creators (e.g., hosting, ecommerce, social media, enterprises, etc.). Many of the service creators are cloud-based, meaning that they operate a network of machines working together to provide a service. All of the parts work together to provide what is commonly referred to as the internet.
Communications Sector
Owners and operators of communications infrastructure (broadcast, cable, satellite, wireless, and wireline) comprise the communications sector. The communications sector is one of the 16 Critical Infrastructure/Key Resource (CI/KR) sectors identified in the DHS National Infrastructure Protection Plan (NIPP). This sector includes the network operators that provide internet access services. As part of a public/private partnership with DHS, the communications sector utilizes the Communications Sector Coordination Council (CSCC) and the Communications Information Sharing and Analysis Center (Comm-ISAC) to help secure the communications networks CI/KR from harm.
[3] Note: There is a glossary in Appendix B that provides more information on the technical terms used in this document.
The communications sector has a long history of cooperation within its membership and with federal government with respect to national security and emergency preparedness. This history distinguishes the communications sector from most other critical sectors identified in the National Infrastructure Protection Plan (NIPP). The sector exemplifies cooperation and trusted relationships that have resulted in the delivery of critical services when emergencies and disasters occur. This strong bond exists largely because of three organizations that have been created in response to earlier threats to the nation's critical infrastructure.
Policy - The National Security Telecommunications Advisory Committee (NSTAC). The NSTAC (wwwncs.gov/nstac/nstachtml) was created in 1982 by Executive Order 12382. It provides a highly successful example of how industry helps direct government decisions around national security and emergency preparedness communications (NS/EP). NSTAC is comprised of up to 30 chief executives from major telecommunications companies, network service providers, and information technology, finance, and aerospace companies. Through a deliberative process, they provide the President with recommendations intended to assure vital telecommunications links through any event or crisis, and to help the U.S. Government maintain a reliable, secure, and resilient national communications posture. Key areas of NSTAC focus include: strengthening national security; enhancing cybersecurity; maintaining the global communications infrastructure; assuring communications for disaster response; and addressing critical infrastructure interdependencies.
Planning - Communications Sector Coordinating Council (CSCC). The CSCC was chartered in 2005 in order to: help coordinate initiatives to improve the physical and cyber security of sector assets; ease the flow of information within the sector, across sectors and with designated Federal agencies; and address issues related to response and recovery following an incident or event. The more than 40 members of the CSCC broadly represent the sector and include cable providers, commercial and public broadcasters, information service providers, satellite providers, undersea cable providers, utility telecom providers, service integrators, equipment vendors, and wireless and wireline owners and operators and their respective trade associations.
Operations - National Coordinating Center for Telecommunications (NCC) Communications Information Sharing and Analysis Center (Comm-ISAC). In 1982, federal government and telecommunications industry officials identified the need for a joint mechanism to coordinate the initiation and restoration of national security and emergency preparedness telecommunications services. In 1984, Executive Order 12472 created the NCC. This organization's unique partnership between industry and government advances collaboration on operational issues on a 24x7 basis and coordinates NS/EP responses in times of crisis. Since 2000, the NCC's Communications Information Sharing and Analysis Center (Comm-ISAC), comprised of 51 industry member companies, has facilitated the exchange of information among government and industry participants regarding vulnerabilities, threats, intrusions, and anomalies affecting the telecommunications infrastructure. Industry and government representatives meet weekly to share threat and incident information. During emergencies, industry and government representatives involved with the response efforts meet daily, or even more frequently.
Bots, Botnets, and Associated Threats
Bot – a program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks, typically under the command and control of a remote administrator (aka botmaster or bot herder).[4]
Botnet – a network of internet-connected end-user computing devices infected with bot malware and remotely controlled by third parties for nefarious purposes.[5]
Bots are not a new phenomenon. It is important to note that not all bots are bad, and not all botnets are used for nefarious purposes. There are some good bots in environments like gaming and Internet Relay Chat (IRC). However, for the purposes of this paper, all mentions of bots and botnets will assume they are malicious or potentially malicious in nature.
A "botnet" is a network of bots working together with the capability of acting on instructions generated remotely. A typical botnet may range from a few thousand bots to hundreds of thousands or even millions of bots. Bots and botnets are highly customizable and can be programmed to do many things, including: theft of personal and other sensitive information, spam, email address harvesting, distributed denial of service (DDoS) attacks, key-logging, hosting illegal content, and click fraud. These types of cyber-attacks are described in greater detail later in this paper.
[4] Federal Communications Commission (FCC), Communications Security Reliability and Interoperability Council (CSRIC) III, U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (Mar. 2012), available at https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC-III-WG7-Final-ReportFinal.pdf (accessed June 20, 2017).
[5] Id.
Early bots used IRC to communicate to their C&C servers. Over time, bots and botnets have grown more sophisticated. For instance, bots and botnets have been made more resilient by incorporating peer-to-peer (P2P) architectures and protocols; domain name generating algorithms; hypertext transfer protocol (HTTP) to specific uniform resource locators (URL) within legitimate websites; sophisticated, hierarchical C&C infrastructures; and encryption. Each of these improvements has made it more difficult to identify and isolate bad traffic from legitimate network traffic.
Historically, bots infected desktop computers and servers, resulting in eventual detection and removal using antivirus software. In contrast, IoT devices often do not have a user interface (UI); are designed to run autonomously; and are connected either directly or indirectly to the internet. These devices do not lend themselves well to some traditional security protections. They may connect to the internet without a firewall and are usually placed on the same local area network (LAN) segment as other higher value targets. They are unlikely to run anti-virus software. In addition, they may be considered a low security risk since they are low cost and only process seemingly innocuous data. However, IoT devices are actually enticing targets for exploitation, as the devices provide computing power that can be utilized by bad actors, typically unnoticed by the owners, and are often "install and forget" equipment.
Large networks of IoT devices can become compromised by bots when connected to high-speed internet connections, which can cause significant damage. The October 2016 Mirai botnet DDoS attack against DNS provider Dyn is one of the more recent examples. The Mirai botnet exploited weak security in many IoT devices by continuously scanning the internet, looking for more IoT devices that were protected by factory default or hard coded usernames and passwords.[6] As the Mirai botnet discovered vulnerable IoT devices, it loaded its malware onto the devices and began communicating with the C&C servers awaiting instructions. The Mirai botnet then was used to launch a large-scale DDoS attack against Dyn by instructing each infected device to flood the Dyn DNS servers with a high volume of packets using the DNS service destination port (user datagram protocol (UDP) port 53) as well as flooding authoritative servers with numerous requests for invalid domain names.[7] The attack prevented a number of Dyn's customers from being able to access domain names served by Dyn DNS during the attack.
[6] Symantec Security Response, Mirai: what you need to know about the botnet behind recent major DDoS attacks, Symantec Official Blog (Oct. 27, 2016), available at https://www.symantec.com/connect/blogs/mirai-what-you-need-know-about-botnet-behind-recent-major-ddos-attacks (accessed June 20, 2017).
The Dyn attack was not an isolated incident. The peak attack size increased dramatically in a short period of time, rising from 500 Gbps in 2015 to 800 Gbps in 2016.[8] The KrebsonSecurity site was also hit by an attack in September 2016, which reached 620 Gbps. In fact, the Mirai botnet and other IoT botnets were in existence for some time prior to these attacks and generally used for performing smaller DDoS attacks.
Botnet Threats
As described above, bots and botnets are highly customizable, and as a result, can be programmed to do many beneficial things on the internet. However, they are often, and increasingly, used for nefarious activities such as the types of attacks listed below.
• DDoS attacks;
• Data theft;
• Illicit content distribution;
• Brute force password guessing;
• Processing theft;
• Click fraud;
• Email spam; and
• Unauthorized gateway.
The remainder of this section, however, will focus on DDoS attacks. Descriptions of the other types of attacks listed above can be found in Appendix B.
[7] Scott Hamilton, Dyn Analysis Summary Of Friday October 21 Attack, Dyn Blog (Oct. 26, 2016), available at http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ (accessed June 20, 2017).
[8] Arbor Networks, 12th Annual Worldwide Infrastructure Security Report, Arbor Networks Special Report Vol. XII (2016), at p. 21, available at https://pages.arbornetworks.com/rs/082-KNA-087/images/12th_Worldwide_Infrastructure_Security_Report.pdf (accessed June 30, 2017).
DDoS attacks – a highly prevalent form of attack perpetrated by botnets – illustrate some of the many challenges of preventing attacks, as well as of preventing bots from compromising end-points.
DDoS attacks can be broken into four main categories:[9]
• Volumetric;
• Application/resource;
• State exhaustion; and
• Control plane.
Volumetric DDoS attacks consist of hundreds to hundreds of thousands of bots flooding the victim with packets, resulting in denial of the service to others. The attacks can be direct, where the bots send the packets addressed directly to the victim either with their own source IP address or a spoofed source IP address. Indirect attacks leverage a technique known as a reflective amplification attack, in which bots spoof the source IP address to be that of the intended attack target.[10] The bots then send request packets to other services such as DNS, Character Generator Protocol (chargen), or Simple Service Discovery Protocol (SSDP) to trick the services to send responses toward the victim. Indirect or reflection attacks are often crafted to cause the service to send a response that is much larger than the bot's initial request, resulting in an amplification attack. In some circumstances, the amplifications can be thousands of times greater than the bots' initial request packets.
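The reflection pattern described above has a recognizable signature from the victim's side: many distinct hosts all answering from the same well-known UDP service port toward one destination, with responses far larger than any request could have been. The following detection heuristic is an added example written for this page; it is not code from the CSCC paper. It runs over constructed sampled-flow records, and the reflector port list and thresholds are assumptions to be tuned to the sampling rate actually in use.

```python
"""Flag reflection/amplification candidates in sampled flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services the paper names as reflectors, keyed by their server-side port (NTP added).
REFLECTOR_PORTS = {53: "DNS", 19: "chargen", 1900: "SSDP", 123: "NTP"}

# Illustrative thresholds (assumptions): how many distinct answering hosts and how
# large an average response must be before a destination is reported.
MIN_DISTINCT_REFLECTORS = 50
MIN_AVG_RESPONSE_BYTES = 400   # a DNS or NTP request is usually well under 100 bytes


@dataclass(frozen=True)
class Flow:
    src_ip: str      # where the packets came from (the reflector, if any)
    src_port: int
    dst_ip: str      # where they are going (the possible victim)
    dst_port: int
    proto: str       # "udp" or "tcp"
    packets: int
    octets: int


def analyze_flows(flows):
    """Return {victim_ip: {services, reflectors, avg_bytes}} for destinations that
    receive large server->client UDP responses from many distinct reflector hosts."""
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0,
                                   "octets": 0, "services": set()})
    for f in flows:
        # Only UDP traffic whose *source* port is a known reflector service matters here.
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        agg = per_dst[f.dst_ip]
        agg["reflectors"].add(f.src_ip)
        agg["packets"] += f.packets
        agg["octets"] += f.octets
        agg["services"].add(REFLECTOR_PORTS[f.src_port])

    suspects = {}
    for dst, agg in per_dst.items():
        avg = agg["octets"] / agg["packets"] if agg["packets"] else 0
        if len(agg["reflectors"]) >= MIN_DISTINCT_REFLECTORS and avg >= MIN_AVG_RESPONSE_BYTES:
            suspects[dst] = {"services": sorted(agg["services"]),
                             "reflectors": len(agg["reflectors"]),
                             "avg_bytes": round(avg)}
    return suspects


def sample_flows():
    """Constructed records: 120 open DNS resolvers and 30 NTP servers all answering one
    target with ~1100-byte packets, next to ordinary DNS and web traffic for another host."""
    victim = "203.0.113.10"
    flows = []
    for i in range(120):
        flows.append(Flow(f"198.51.100.{i + 1}", 53, victim, 40000 + i, "udp", 25, 25 * 1100))
    for i in range(30):
        flows.append(Flow(f"192.0.2.{i + 1}", 123, victim, 50000 + i, "udp", 25, 25 * 1100))
    for i in range(5):   # one resolver answering a normal client with small packets
        flows.append(Flow("192.0.2.53", 53, "203.0.113.7", 40000 + i, "udp", 1, 90))
    flows.append(Flow("192.0.2.80", 443, "203.0.113.7", 51000, "tcp", 200, 200 * 1400))
    return flows


if __name__ == "__main__":
    for victim, info in analyze_flows(sample_flows()).items():
        print(f"{victim}: {info['reflectors']} reflectors via {info['services']}, "
              f"avg {info['avg_bytes']} bytes/packet")
```

The single-resolver host is deliberately left unflagged: a low reflector count with small packets is what legitimate recursive DNS looks like, and the threshold on distinct answering hosts is what keeps the heuristic from paging on it.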
Application attacks tend to be lower volume traffic attacks than volumetric attacks. They are characterized by bots sending legitimate-looking application-level requests to a system to consume resources (e.g., CPU, disk access, database lookups, etc.) and overwhelm the system, thereby preventing others from accessing it.
State exhaustion attacks leverage the fact that devices like servers, firewalls, and intrusion detection systems have limited capabilities to track the state of concurrent transactions. The bots leverage this limitation and consume all the state capabilities by opening many connections and not fully continuing those connections to completion.
Control plane attacks leverage the limitations of the internet protocols such as the Border Gateway Protocol[11] (BGP), IPv6,[12] and DNS protocol.[13]
[9] FCC CSRIC IV, Remediation of Server-Based DDoS Attacks Final Report (Sept. 2014), available at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG5_Remediation_of_Server-Based_DDoS_Attacks_Report_Final_(pdf)_V11.pdf (accessed June 20, 2017).
[10] Messaging, Malware and Mobile Anti-Abuse Working Group, M3AAWG Introduction to Reflective DDoS Attacks (May 2017), available at https://www.m3aawg.org/sites/default/files/m3aawg-reflective-ddos-attack-intro.pdf (accessed June 20, 2017).
A challenge with all types of DDoS attacks -- especially for ISPs -- is identifying them. Cyber criminals are rapidly devising more sophisticated botnets, making it harder to distinguish bad traffic from good traffic. The earliest forms of bots often transmitted their messages in clear-text, on well-known ports, to hard-coded IP addresses, thereby making the traffic both easy to identify and to block. Increasingly bots masquerade their traffic as application-level traffic (e.g., they make it look like regular web traffic or encrypted web traffic, use peer-to-peer techniques to avoid a single point of failure, or use VPNs to encrypt and tunnel their traffic to evade detection).
The Mirai botnet attack also leveraged the fact that there are millions of IoT devices all over the globe, and the attack traffic was generated from the far corners of the internet, sourced at the victims' locations. Level 3 Threat Research Labs reported that it observed over a million IoT devices participating in botnet attacks, and a large percentage were located in Taiwan, Brazil, and Colombia.[14] The challenge for an ISP in detecting and blocking this traffic is that it does not originate on the ISP's network and may only transit a portion of the network, if it transits it at all. And even if there are bots on the network originating traffic, the volume of traffic from the bots may not be high enough to detect on the network.
Botnet attack traffic may look entirely normal. Much of it is reflective amplified attacks (which offer the best bang for the buck), frequently using well known common services such as DNS, network time protocol (NTP), and HTTP.
[11] K. Butler, et al., A Survey of BGP Security Issues and Solutions, Proceedings of the IEEE 98, no. 1 (Jan. 2010), at p. 100-122 (doi:10.1109/jproc.2009.2034031).
[12] Cisco, IPv6 Extension Headers Review and Considerations [IP Version 6 (IPv6)] (Oct. 10, 2006), available at http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html (accessed June 30, 2017).
[13] Suranjith Ariyapperuma and Chris Mitchell, Security vulnerabilities in DNS and DNSSec, Proceedings of The Second International Conference on Availability, Reliability and Security, ARES 2007, The International Dependability Conference - Bridging Theory and Practice, Vienna, Austria, available at http://web.mit.edu/6.033/www/papers/dnssec.pdf (accessed June 30, 2017).
[14] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).
There are hundreds of different types of attacks within the five DDoS attack categories. Mirai itself has about a dozen DDoS attacks programmed into it. The botnet spread by scanning for open telnet ports (transmission control protocol port 23). Telnet is a clear text protocol and is extremely insecure and should not be used over the internet, but this is exactly how Mirai was spread. During the Dyn DNS attack, Mirai used DNS "water torture,"[15] which it proxied through several well-known open resolvers (Google 8.8.8.8, for example). The attack on the KrebsonSecurity[16] website was designed to appear like the generic routing encapsulation (GRE) protocol.[17] Both attacks could have been blocked by upstream internet transit providers. In the case of the Dyn attack, network service providers and the Comm-ISAC reached out to Dyn to offer assistance.
The KrebsonSecurity attack, being GRE-based, could have been blocked by most ISPs. The Dyn traffic was proxied by well-known open resolvers, so rate limiting that traffic towards the Dyn IPs could have mitigated most of the effects of that attack. Brobot, which affected many U.S. financial systems, used HTTP and HTTPS for most of its attacks. Blocking it would require content examination and filtering, something ISPs generally do not do and cannot do for HTTPS without holding the end-user's private keys. Malicious traffic that is encrypted (e.g., HTTPS) cannot be filtered.
The latest attacks illustrate the sophistication and scale that botnets have achieved. Botnets are detectable; the challenge is stopping them. The best way to stop them is to prevent their spread in the first place. The real challenge for the internet ecosystem in dealing with botnet threats is the remediation of infected end-points. Without either remediating the end-point or disconnecting the infected end-point from the internet, the threat from the infected end-point remains. Ensuring that end-points are running the latest software with the latest security patches is a recognized best practice for mitigating the spread of and threats from malicious and nefarious bots.
[15] DNS water torture is an attack type where many end-points send queries for a victim's domain with a random string prepended to the domain, overwhelming the victim's authoritative DNS server and making the victim's domain inaccessible.
[16] See https://krebsonsecurity.com.
[17] KrebsonSecurity, KrebsOnSecurity Hit With Record DDoS (Sept. 21, 2016), available at http://krebsonsecurity.com/tag/gre-ddos/ (accessed July 16, 2017).
Most Botnet Traffic Originates Outside the United States
The threat landscape from botnets continues to evolve. According to threat intelligence companies, notable trends identified in the threat landscape in 2016 are that: 1) insecure IoT devices are a big source of DDoS attack traffic;[18] and 2) the vast majority of the attack traffic originates from outside the United States.[19]
In 2016, attacks from IoT devices made headlines with the Mirai botnet attacks from improperly secured security cameras and their closed-circuit TV (CCTV) recorders (DVRs). As noted by Level 3 Threat Research Labs, many of the insecure cameras and DVRs were located in Taiwan, Brazil, and Colombia.[20] Shodan,[21] a search engine that lets the user find specific types of IoT and other devices that are connected and visible on the public internet, reports (as of July 2017) 300K+ susceptible Hikvision devices connected directly to the internet, with the vast majority of those devices located in Brazil (45,000), India (36,000), China (34,000), Mexico (25,000), and South Korea (20,000).[22]
While attributing the exact source of botnet attacks is difficult, it is almost always possible to determine the source country of the traffic. Numerous reports[23] indicate that the leading sources of attack traffic are China and other countries in Southeast Asia (e.g., Vietnam, Taiwan, and Thailand).[24]
This is consistent with an earlier study that showed a strong correlation between devices used for botnet attacks and the country in which the devices reside. Such devices are typically running software without the latest security patches.[25] In one study, researchers analyzed six years of longitudinal data from the sink-hole of Conficker, one of the largest botnets ever seen, to assess the impact on botnet mitigation of national anti-botnet initiatives, aimed at getting end-users to clean infected end-user machines. They found that peak infection levels strongly correlate with software piracy. This implies that countries with a higher number of end-users running unlicensed copies of software tend to have higher numbers of bots because those assets have a lower percentage of registered users getting security patches.
[18] Akamai, State of the Internet Security Q4 2016 Report (Winter 2016), available at https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf (accessed June 20, 2017).
[19] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[20] Level 3 Research Labs, Attack of Things!, available at http://www.netformation.com/level-3-pov/attack-of-things-2 (accessed June 20, 2017).
[21] See shodan.io (Shodan scans the internet indexing devices that respond to port scans on port 80, 8080, 443, 8443, 21, 22, 23, 161, 5060, 554, and other well-known ports).
[22] Shodan, Search of "Hikvision," available at https://www.shodan.io/search?query=hikvision (accessed June 20, 2017).
[23] See Appendix A of this paper for data from different threat reports.
[24] Incapsula.com, Global DDoS Threat Landscape Q1 2017 (Spring 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html (accessed June 20, 2017).
[25] Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Post-Mortem of a Zombie: Conficker Cleanup After Six Years, in USENIX, The Advanced Computing Systems Association, Proceedings of the 24th USENIX Security Symposium, Washington, D.C. (Aug. 2015), available at https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-asghari.pdf (accessed June 20, 2017).
A similar pattern was seen with the Mirai botnet, which exploited the fact that a class of IoT devices shipped with well-known, default login credentials that end-users rarely change. Vulnerabilities with at least one of the manufacturers were reported as far back as 2013.[26] Only after the Mirai botnet attack was reported did the manufacturer in question provide a firmware update to address the vulnerabilities, and, even then, it required manual intervention by device end-users to update the firmware, as the devices did not support an automated manner for securely updating their software.
Current Tools and Techniques
Application of Cybersecurity Framework against Botnets
The Cybersecurity Framework, developed by the National Institute of Standards & Technology (NIST),[27] is a voluntary risk-based "set of industry standards and best practices to help organizations manage cybersecurity risks." The Framework is composed of five functional areas – 1) Identify, 2) Detect, 3) Protect, 4) Respond, and 5) Recover. The leading ISPs use the Framework as part of their overall cyber risk management processes to address the threats posed by bots and botnets against their networks.
Identify
In the Framework, the first step is identifying both what needs to be protected and what are the cyber threats. The Federal Communications Commission's (FCC) Communications Security, Reliability and Interoperability Council (CSRIC) IV Working Group 4 final report, Cybersecurity Risk Management and Best Practices, provides implementation guidance on the use of the Framework for network service providers. ISPs, as part of the critical infrastructure, have identified that they need to protect their core networks from cybersecurity threats such as bots and botnets. ISPs may also, as part of a managed security service, protect their customers from the harms of cyber threats.
[26] Department of Homeland Security (DHS) Office of Cybersecurity and Communications, Vulnerability Note VU#800094 - Dahua Security DVRs contain multiple vulnerabilities (Dec. 4, 2013), available at http://www.kb.cert.org/vuls/id/800094 (accessed June 20, 2017).
[27] National Institute of Standards and Technology, Cybersecurity Framework (May 25, 2017), available at https://www.nist.gov/cyberframework (accessed June 20, 2017).
In addition to identifying what needs to be protected, network service providers use the Framework and other tools to identify the threats. The first step is identifying the attack surfaces of the assets to be protected and then identifying the known attack vectors. This information is continuously synthesized with threat intelligence data to ensure comprehensive coverage and to identify, and ultimately address, new vulnerabilities. Obtaining high-quality cyber threat data is one of the most important aspects of implementing and running a strong botnet mitigation program. For the program to be effective, near zero false positive data is needed. False positives can greatly increase a network service provider's operating costs, impact its customer satisfaction, and damage its brand. As outlined in the CSRIC V Working Group 5 report on Cybersecurity Information Sharing,[28] network service providers have developed an information sharing ecosystem to both use and share cyber threat indicator information from an array of sources, to identify botnets and their associated threats. Included in this ecosystem are trusted third-party (TTP) data feeds, information from DHS including its Automated Information Sharing (AIS) system, and inter-sector information sharing.
Detect
As outlined in the Framework, detection of threats and attacks is the next step in protecting networks from botnet attacks. As described earlier, botnet attacks come in many forms, so detecting them requires an array of tools and techniques tailored for each kind of attack. Regardless of the type of botnet attack, network service providers use a core set of techniques, including packet sampling, signature analysis, and heuristic or behavioral analysis.
Many botnets attempt to disguise their traffic as normal internet traffic. This makes it particularly difficult to detect highly distributed botnets or low-volume traffic botnets, as the traffic will be below the alarm thresholds on any single operator's network. For example, during the Mirai Dyn DNS waterboarding attack, the attackers proxied their requests through well-known open DNS resolvers.[29]
[28] FCC CSRIC V, Working Group 5: Cybersecurity Information Sharing, Final Report (Mar. 15, 2017), available at https://www.fcc.gov/files/csric5-wg5-finalreport031517pdf (accessed June 20, 2017).
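The "water torture" pattern the paper describes earlier (random strings prepended to the victim's domain, relayed through open resolvers) and the per-resolver rate limiting it says would have blunted the Dyn attack can both be shown from the authoritative server's point of view. The code below is an added example written for this page, not the CSCC paper's code or Dyn's. It assumes a constructed query-log line format ("<epoch seconds> <client ip> qname=<name> rcode=<RCODE>"), a fixed list of zones the server is authoritative for, and illustrative thresholds and budgets. Detection scores each zone by its NXDOMAIN ratio and the number of distinct leftmost labels seen; mitigation is a token bucket per (resolver, zone) so that one relaying resolver cannot consume the whole server.

```python
"""Water-torture detection and per-resolver rate limiting on an authoritative DNS server (added example)."""
import hashlib
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>[0-9a-fA-F.:]+) qname=(?P<qname>\S+) rcode=(?P<rcode>[A-Z]+)$")
ZONES = ("example.com", "example.net")   # zones this server serves (assumption)


def parse_line(line):
    """Parse one constructed log line; return None for malformed input instead of raising."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    rec["qname"] = rec["qname"].lower().rstrip(".")
    return rec


def zone_of(qname):
    for z in ZONES:
        if qname == z or qname.endswith("." + z):
            return z
    return None


def zone_stats(records):
    """Per zone: query count, NXDOMAIN count and ratio, distinct leftmost labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "labels": set()})
    for r in records:
        z = zone_of(r["qname"])
        if z is None:
            continue
        s = stats[z]
        s["queries"] += 1
        if r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
        prefix = r["qname"][: -len(z)].rstrip(".")
        s["labels"].add(prefix.split(".")[0] if prefix else "")
    return {z: {"queries": s["queries"], "nxdomain": s["nxdomain"],
                "distinct_labels": len(s["labels"]),
                "nxdomain_ratio": s["nxdomain"] / s["queries"]} for z, s in stats.items()}


def water_torture_suspects(stats, min_queries=100, min_ratio=0.9, min_labels=50):
    """Zones under random-prefix load: mostly NXDOMAIN and many never-seen labels (thresholds assumed)."""
    return sorted(z for z, s in stats.items()
                  if s["queries"] >= min_queries and s["nxdomain_ratio"] >= min_ratio
                  and s["distinct_labels"] >= min_labels)


class TokenBucket:
    """Allow `rate` queries per second with a burst of `burst`; refilled lazily on each call."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def apply_rate_limit(records, rate=5, burst=20):
    """Budget each (client resolver, zone) pair; return answered/dropped counts per zone."""
    buckets, out = {}, defaultdict(lambda: {"answered": 0, "dropped": 0})
    for r in sorted(records, key=lambda r: r["ts"]):      # stable sort keeps log order per second
        z = zone_of(r["qname"])
        if z is None:
            continue
        b = buckets.setdefault((r["client"], z), TokenBucket(rate, burst))
        out[z]["answered" if b.allow(r["ts"]) else "dropped"] += 1
    return dict(out)


def sample_log():
    """Constructed log: three open resolvers each relaying 10 random-prefix queries per second
    for 10 s against example.com, plus a legitimate client doing a few normal lookups."""
    lines, t0, n = [], 1477051200, 0
    for t in range(10):
        for res in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            for _ in range(10):
                label = hashlib.sha256(str(n).encode()).hexdigest()[:10]   # random-looking prefix
                n += 1
                lines.append(f"{t0 + t} {res} qname={label}.example.com rcode=NXDOMAIN")
        lines.append(f"{t0 + t} 192.0.2.50 qname=www.example.com rcode=NOERROR")
        lines.append(f"{t0 + t} 192.0.2.50 qname=mail.example.com rcode=NOERROR")
        lines.append(f"{t0 + t} 192.0.2.50 qname=www.example.net rcode=NOERROR")
    return lines


if __name__ == "__main__":
    recs = [r for r in map(parse_line, sample_log()) if r]
    print("suspect zones:", water_torture_suspects(zone_stats(recs)))
    print("rate limit outcome:", apply_rate_limit(recs))
```

With a budget of 5 queries/s and a burst of 20, each relaying resolver gets its first 65 queries answered and its remaining 35 dropped, while the legitimate client (two example.com lookups per second) never loses a query; the legitimate zone example.net is untouched. The trade-off is visible in the numbers: a shared open resolver that also carries real users' queries for the victim zone is throttled along with the attack, which is why the paper frames this as mitigating "most" of the effect rather than all of it.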
Protect
Network service providers use a variety of techniques to protect their networks from attacks and undertake measures to help their customers protect themselves from attacks.
Network service providers use different filtering techniques to directly protect their network infrastructure (e.g., routers, servers). Bots often spoof the source IP address in the attack packets. This is typically seen in network reflection attacks, but as seen in high volume attacks such as the Mirai botnet or Dyn attack, this can be accomplished even without IP spoofing. Regardless, as a best common practice, most, if not all, network service providers perform network filtering for spoofed IP addresses.[30]
NetworkserviceprovidersalsouseacombinationofotherfilteringtechniquessuchasAccessControlLists(ACLs),trafficpolicing,blackholing,andsinkholingintheirnetworkstofilter
knownbotnettraffic.ThesetechniquescanbeeffectiveforneutralizingtheC&Ctrafficfor
client-serverbotnets.Thisislesseffectiveagainstmoreadvancedbotnetsthatusepeer-to-peerarchitecture,encryption,and/orfastfluxDNStechniquesfortheirC&Cchannel.Fastfluxisa
DNStechniqueusedbybotnetstohidephishingandmalwaredeliverysitesbehindanever-
changingnetworkofcompromisedhostsactingasproxies.
NetworkserviceprovidersalsohavemadelargeinvestmentsinDDoSscrubbingsystemsto“scrub”outDDoSattacksagainsttheirnetworksandtheircustomerswhohavepurchasedDDoS
mitigationservices.DDoSscrubbingsystemsrelyupondivertingthevictim’strafficthroughthe
scrubber“on-demand”tofilteroutattacktrafficfromgoodtraffic,andthenplaceitbackonthe
provider’snetworktosendittoitsoriginaldestination.Networkserviceprovidersuseacombinationofin-housescrubbingsystemsandthird-partyscrubbingsystemsviacontractswith
29ScottHamilton,DynAnalysisSummaryOfFridayOctober21Attack,DynBlog(Oct.26,2016),availableathttp://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/(accessedJune20,2017). 30P.FergusonandD.Senie,NetworkIngressFiltering:DefeatingDenialofServiceAttackswhichemployIPSourceAddressSpoofing,BestCurrentPractice(BCP)38(May2000),availableathttps://tools.ietf.org/html/bcp38(accessedJune20,20170;F.Baker,andP.Savola,IngressFilteringforMultihomedNetworks,BCP84(Mar.2004),availableathttps://tools.ietf.org/html/bcp84(accessedJune20,2017);andMutuallyAgreedNormsforRoutingSecurity(MANRS),Participants(Mar.6,2015),availableathttps://www.routingmanifesto.org/participants/(accessedJune20,2017).
CommunicationsSectorCoordinatingCouncil|www.comms-scc.org
17
thirdpartyDDoSmitigationproviders.However,networkserviceprovidersdonothavethe
capacitytoscruballtrafficallofthetime.
Inadditiontoscrubbingtraffic,manyprovidersusetheFlowspec31capabilitiesofBGPtodynamicallyblockeasilyidentifiabletrafficontherouter.Thetrafficisusuallyblockedusingthe
basicfive-tupleofvaluesfoundinIPFIX32(sourceanddestinationIP,sourceanddestination
port,andprotocol).FlowspecisadvantageousinthatBGPupdatescanbemadeandwithdrawn
fairlyquicklyinthenetwork,allowingforfastermitigation.
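To make the Flowspec mechanism concrete, the following added example (not from the paper, and not the code of any router vendor) builds the RFC 5575 NLRI that a "drop UDP answers from source port 53 toward the victim" rule encodes on the wire, plus the traffic-rate extended community that turns it into a discard, and prints the equivalent ExaBGP announce line. The component type numbers and operator-byte layout are taken from RFC 5575 section 4; the victim address and reflector port are constructed, and the ExaBGP text syntax is an assumption about that tool's configuration grammar rather than something the paper describes.

```python
"""BGP Flowspec (RFC 5575) rule construction, as an added example.

Encodes a five-tuple match as Flowspec NLRI bytes and as ExaBGP text.
Addresses are constructed; the ExaBGP syntax is assumed, not verified here.
"""
import ipaddress
import struct

# Component types (RFC 5575 sec. 4). Components must appear in ascending type order.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, SRC_PORT, DST_PORT, PKT_LEN = 1, 2, 3, 4, 5, 6, 10
# Numeric operator byte: e(end-of-list) a(and) len(2 bits) 0 lt gt eq
END_OF_LIST, LT, GT, EQ = 0x80, 0x04, 0x02, 0x01


def numeric_op(value, eq=False, gt=False, lt=False, end=True):
    """One <operator, value> pair using the smallest value length that fits."""
    if value < 0x100:
        length_bits, fmt = 0b00, ">B"
    elif value < 0x10000:
        length_bits, fmt = 0b01, ">H"
    else:
        length_bits, fmt = 0b10, ">I"
    op = (END_OF_LIST if end else 0) | (length_bits << 4)
    op |= (LT if lt else 0) | (GT if gt else 0) | (EQ if eq else 0)
    return bytes([op]) + struct.pack(fmt, value)


def prefix_component(ctype, cidr):
    """<type><prefix length in bits><only as many address octets as the length needs>."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("RFC 5575 Flowspec is IPv4-only")
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def flowspec_nlri(components):
    """Prefix the NLRI length: one octet below 240, else two octets with 0xF in the top nibble."""
    body = b"".join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack(">H", 0xF000 | len(body)) + body


def discard_action():
    """traffic-rate extended community (type 0x80, sub-type 0x06), AS 0, rate 0.0 = drop."""
    return bytes([0x80, 0x06, 0, 0]) + struct.pack(">f", 0.0)


def reflection_drop_rule(victim, reflector_port, proto=17, min_len=None):
    """NLRI for 'drop <proto> from source port X toward the victim', optionally only large packets."""
    comps = [
        prefix_component(DEST_PREFIX, victim),
        bytes([IP_PROTO]) + numeric_op(proto, eq=True),
        bytes([SRC_PORT]) + numeric_op(reflector_port, eq=True),
    ]
    if min_len is not None:
        comps.append(bytes([PKT_LEN]) + numeric_op(min_len, gt=True))
    return flowspec_nlri(comps)


def exabgp_text(victim, reflector_port, proto_name="udp", min_len=None):
    """ExaBGP API line for the same rule (assumed syntax; check against your ExaBGP version)."""
    match = [f"destination {victim};", f"protocol {proto_name};", f"source-port ={reflector_port};"]
    if min_len is not None:
        match.append(f"packet-length >{min_len};")
    return "announce flow route { match { " + " ".join(match) + " } then { discard; } }"


if __name__ == "__main__":
    print(reflection_drop_rule("192.0.2.10/32", 53, min_len=1400).hex())
    print(discard_action().hex())
    print(exabgp_text("192.0.2.10/32", 53, min_len=1400))
```

The packet-length match is what keeps such a rule from also discarding the victim's own legitimate DNS answers: reflected amplification responses are large, ordinary answers mostly are not. Because a Flowspec route is withdrawn as easily as it is announced, the rule can be removed the moment the attack subsides.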
Network service providers also can provide specific tools and services to their customers to protect themselves, including end-point anti-virus software and home gateways with integrated security.[33] Large ISP customers operating stub networks, as well as edge providers, also can use a technique to mitigate DDoS attacks known as anycast, which allows multiple hosts or end-points to share the same IP address. By geographically distributing these hosts, a DDoS attack needs to be significantly larger to overwhelm all of the distributed hosts and succeed at disrupting the site or service. Anycast services can be deployed by edge providers or purchased from DDoS mitigation partners.

Several network service providers also offer a suite of managed security services including but not limited to the DDoS scrubbing services mentioned above. These can include capabilities such as network-based firewalls, mobile device management services, threat analysis and event detection, secure VPN connectivity to the cloud, and web and email security.

Respond & Recover

Today, as outlined in the Cybersecurity Framework, when a network service provider detects malicious traffic from a bot either on its network or toward an end-point on its network, it responds and recovers as necessary. The response consists of mitigating the impact from the malicious traffic, and, if necessary, remediating the infected end-point.

To mitigate the malicious traffic, the network service provider must first determine the scope of the impact from the malicious traffic. For malicious traffic that is impacting its network or its ability to deliver service, the network service provider will need to work to filter out the malicious traffic using one of the filtering techniques (e.g., ACL, blackhole, sinkhole, or scrub) described earlier. In addition, if the malicious traffic is inbound toward its network, the network service provider may contact the upstream network and ask it to filter the traffic emanating from that network.

[31] Leonardo Serodio, Traffic Diversion Techniques for DDoS Mitigation using BGP Flowspec (May 2013), available at https://nanog.org/sites/default/files/wed.general.trafficdiversion.serodio.10.pdf (accessed July 7, 2017).
[32] B. Claise, B. Trammell, and P. Aitken, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, RFC 7011 (Sept. 2013), available at https://tools.ietf.org/html/rfc7011 (accessed July 7, 2017).
[33] McAfee, McAfee Web Gateway, available at https://www.mcafee.com/us/products/web-gateway.aspx (accessed July 7, 2017).

For malicious traffic that is determined to be emanating from a customer end-point on its network, the network service provider, as recommended in the voluntary Anti-Bot Code of Conduct for Internet Service Providers (ABCs for ISPs),[34] will:

• Detect – identify and detect botnet activity in the ISP's network, or on behalf of enterprise customers who have purchased services from the ISP, to determine potential bot infections on end-user devices;
• Notify – notify end-users, including potentially both consumers and enterprise business clients, of suspected bot infections;
• Remediate – provide information to end-users about how they can remediate bot infections and/or actively assist enterprise business clients in remediating the impacts of botnets; and
• Collaborate – provide feedback and experiences learned to other ISPs.

[34] Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), ABCs for ISPs, available at https://www.m3aawg.org/abcs-for-ISP-code (accessed June 20, 2017).

Emerging Solutions

The internet ecosystem is continuing to improve its ability to mitigate the attacks from botnets. Efforts are under way to improve both detection and mitigation capabilities.

Technological Approaches. A large amount of malware uses a technique known as a domain generation algorithm (DGA) to periodically generate a large number of domain names that can be used as rendezvous points for its C&C servers, in an attempt to obfuscate the botnet's true infrastructure. Currently, security investigators can work to reverse engineer the DGA used by each variant of malware. The reverse engineering can be a time-consuming process, and is often an ineffective whack-a-mole approach. To address this issue, industry has been investigating how to apply machine learning to automate the process and work in real time as the malware operator registers domain names with a registry. Efforts are under way to commercialize and integrate machine learning for botnet detection into network protection products.
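The two approaches described above, reverse engineering a specific DGA versus detecting DGA-like names statistically, are easiest to compare side by side. The following is an added example (not from the paper or any vendor) with a constructed, date-seeded toy DGA standing in for a real family's algorithm, the sinkhole list a defender can precompute once that algorithm is known, and a feature-based detector that needs no knowledge of the algorithm at all. The detector uses fixed, hand-picked thresholds; a trained classifier would learn them from labelled data, but the features (length, character entropy, natural-language bigram ratio) are the same starting point. The bigram list is a constructed sample of common English pairs, not a corpus-derived table.

```python
"""Domain generation algorithms: a toy DGA and a statistical detector (added example).

The DGA is constructed for illustration and is not any real malware family's
algorithm; the detector's thresholds are illustrative, not trained.
"""
import hashlib
import math
from datetime import date, timedelta

# Constructed sample of frequent English bigrams; a real detector derives this from a corpus.
COMMON_BIGRAMS = {
    "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es",
    "or", "te", "of", "ed", "is", "it", "al", "ar", "st", "to", "nt", "ng",
    "se", "ha", "as", "ou", "io", "le", "ve", "co", "me", "de", "hi", "ri",
    "ro", "ic", "ne", "ea", "ra", "ce", "li", "ch", "ll", "be", "ma", "si",
    "om", "ur", "ca", "el", "ta", "la", "ns", "di", "mo", "go", "oo", "us",
}


def toy_dga(seed_day, count, tld="com"):
    """Date-seeded generator: bot and C&C operator both compute the same daily list."""
    names = []
    for i in range(count):
        raw = hashlib.sha256(f"{seed_day}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in raw[:14])
        names.append(f"{label}.{tld}")
    return names


def sinkhole_list(start_day, days, count):
    """What a defender precomputes once the DGA is reverse engineered: names per day."""
    start = date.fromisoformat(start_day)
    return {
        (start + timedelta(days=n)).isoformat(): toy_dga((start + timedelta(days=n)).isoformat(), count)
        for n in range(days)
    }


def entropy(label):
    """Shannon entropy of the character distribution, in bits."""
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def bigram_ratio(label):
    """Fraction of adjacent character pairs that are common in natural language."""
    if len(label) < 2:
        return 0.0
    pairs = [label[i:i + 2] for i in range(len(label) - 1)]
    return sum(p in COMMON_BIGRAMS for p in pairs) / len(pairs)


def features(domain):
    label = domain.lower().split(".")[0]  # score the registrable label only
    return {
        "length": len(label),
        "entropy": entropy(label),
        "bigram_ratio": bigram_ratio(label),
    }


def looks_like_dga(domain, min_len=10, min_entropy=2.5, max_bigram=0.25):
    """Flag long, high-entropy labels with few natural-language bigrams."""
    f = features(domain)
    return f["length"] >= min_len and f["entropy"] >= min_entropy and f["bigram_ratio"] <= max_bigram


if __name__ == "__main__":
    for name in toy_dga("2017-07-17", 5):
        print(name, "DGA-like" if looks_like_dga(name) else "benign-looking")
    print(looks_like_dga("microsoftonline.com"))
```

The sinkhole list is exact but only for the one family whose algorithm was recovered, and it goes stale the moment the operator changes a seed; the statistical detector is approximate but family-agnostic, which is the trade-off the text describes.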
Newer botnets now often use encryption (e.g., TLS[35]) to hide their C&C channel. The abuse.ch SSL Blacklist (SSLBL) project[36] illustrates that even though a botnet is using encryption, it is still possible to detect it. The bot's C&C traffic can be identified by inspecting the malicious SSL/TLS certificates presented during the handshake, using deep packet inspection (DPI), and generating a unique SHA-1[37] fingerprint of each botnet's certificate. Efforts are under way to commercialize this approach and integrate the methods into network protection systems to allow for real-time fingerprinting and mitigation of botnets.
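The certificate-fingerprint technique above works because in TLS 1.2 and earlier the server's Certificate message crosses the wire unencrypted, so a passive probe can lift the DER-encoded certificate out of the handshake and hash it. The following is an added example (not from the paper, abuse.ch or any DPI vendor) that parses a TLS 1.2 Certificate handshake record, computes the SSLBL-style SHA-1 fingerprint, and checks it against a small blocklist. The certificate bytes are a constructed placeholder rather than a real X.509 certificate, and the blocklist lines are constructed in the general shape of the SSLBL CSV export. One caveat the paper does not mention: TLS 1.3 encrypts the Certificate message, so this technique does not see certificates on TLS 1.3 connections.

```python
"""Fingerprinting a botnet's TLS certificate from the handshake (added example).

Parses a cleartext TLS 1.2 Certificate record, hashes each DER certificate
with SHA-1 and looks the fingerprint up in an SSLBL-style blocklist. The
certificate and the blocklist are constructed; no real certificate is embedded.
"""
import hashlib
import struct

HANDSHAKE = 0x16       # TLS record content type
CERTIFICATE = 0x0B     # handshake message type

# Constructed placeholder standing in for a real DER-encoded X.509 certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"\xAB" * 60


def build_certificate_record(certs, version=(3, 3)):
    """Assemble a TLS 1.2 Certificate handshake record (used here to make test input)."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    body = len(entries).to_bytes(3, "big") + entries
    hs = bytes([CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, *version]) + struct.pack(">H", len(hs)) + hs


def extract_certificates(record):
    """Return the DER certificates in a cleartext Certificate record, or [] if it is not one."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return []
    rec_len = struct.unpack(">H", record[3:5])[0]
    payload = record[5:5 + rec_len]
    if len(payload) < 4 or payload[0] != CERTIFICATE:
        return []
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(body) < 3:
        return []
    total = int.from_bytes(body[0:3], "big")
    end = 3 + total
    if end > len(body):
        return []            # truncated capture: refuse to guess
    chain, pos = [], 3
    while pos + 3 <= end:
        clen = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if pos + clen > end:
            break
        chain.append(body[pos:pos + clen])
        pos += clen
    return chain


def sha1_fingerprint(der):
    """SSLBL-style fingerprint: lowercase hex SHA-1 over the DER encoding."""
    return hashlib.sha1(der).hexdigest()


def load_blocklist(csv_text):
    """Parse 'listingdate,sha1,reason' lines (comments start with #) into {sha1: reason}."""
    out = {}
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _listed, sha1, reason = line.split(",", 2)
        out[sha1.strip().lower()] = reason.strip()
    return out


def match_record(record, blocklist):
    """Return (fingerprint, reason) for the first blocklisted certificate, else None."""
    for der in extract_certificates(record):
        fp = sha1_fingerprint(der)
        if fp in blocklist:
            return fp, blocklist[fp]
    return None


# Constructed blocklist in the shape of the SSLBL CSV export; the first entry is our placeholder.
SAMPLE_BLOCKLIST_CSV = (
    "# Listingdate,SHA1,Listingreason\n"
    f"2017-06-20 10:00:00,{sha1_fingerprint(FAKE_CERT_DER)},ExampleBot C&C\n"
    "2017-06-19 09:00:00,0000000000000000000000000000000000000000,OtherBot C&C\n"
)

if __name__ == "__main__":
    record = build_certificate_record([FAKE_CERT_DER])
    print(match_record(record, load_blocklist(SAMPLE_BLOCKLIST_CSV)))
```

SHA-1's known collision weakness does not matter for this use: the fingerprint is a lookup key for a certificate an analyst has already seen on a C&C server, not a signature the bot could forge to its advantage.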
In addition, researchers are developing the use of tarpits at network scale to slow the propagation of botnets.[38] Researchers are investigating how to turn unused IP address space into botnet tarpits.[39] The basic idea is to route all inbound traffic that is addressed to the unused IP addresses to the tarpit. The tarpit has a set of programmed rules for how to respond, and thereby extends the time it takes for a botnet to work its way up the kill chain.[40] By extending the time, the targets of the attack have more time to determine what additional defensive measures need to be put in place to neutralize the attack, if any.

In addition to tarpits, network providers have undertaken efforts to determine how to leverage the features of Software Defined Networks (SDNs) to help mitigate attacks from botnets. SDNs provide the capability to dynamically create overlay networks. When combined with other network partitioning techniques and technology, it becomes possible to dynamically create virtual lanes for the different IP-based services. With this approach, IoT providers can work with network service providers to create end-to-end virtual lanes from the IoT device through the network to the cloud-based service. This process ensures a compromised IoT device cannot communicate with unauthorized endpoints. In other words, a compromised device could not be used in a DDoS attack or send information to non-authorized hosts. The Network Slicing feature in 5G networks is a good example of this,[41] and similar approaches are being investigated for SDN-enabled wireline networks.

[35] E. Rescorla and N. Modadugu, Datagram Transport Layer Security Version 1.2, RFC 6347 (Jan. 2012), available at https://tools.ietf.org/html/rfc6347 (accessed June 20, 2017). (RFC 6347 specifies DTLS, the datagram variant; TLS 1.2 itself is RFC 5246.)
[36] abuse.ch, SSL Blacklist, available at https://sslbl.abuse.ch/blacklist/ (accessed June 20, 2017).
[37] SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function that produces a 20-byte digest. It is used in many security protocols, including TLS, for integrity checks and signatures rather than for encryption itself; here it serves as a fingerprint of the DER-encoded certificate.
[38] Labrea, Tom Liston Talks about Labrea, available at http://labrea.sourceforge.net/Intro-History.html (accessed July 17, 2017).
[39] Tarpits are defensive measures against attacks where the server purposely delays incoming connections to make spamming and broad scanning less effective.
[40] Eric Hutchins, Michael Cloppert, and Rohan Amin, Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, CND Papers (Nov. 21, 2010), available at http://papers.rohanamin.com/?p=15 (accessed July 7, 2017).

Collaboration Initiatives. Several industry-led initiatives are under way to improve automated cyber threat information sharing. The Cybersecurity Information Sharing Act (CISA), enacted in 2015, and the subsequent rollout of the DHS Automated Indicator Sharing (AIS) capability are helping to facilitate machine-to-machine (M2M) initiatives.

There are at least two other automated M2M sharing initiatives that may be useful in combatting botnets. Both have a common goal of ensuring that the cyber threat information being shared is "actionable" by the recipient. The paradigm in the past often has been for networks to try to build better protection at their network ingress points. These initiatives share information with neighboring networks to mitigate the threat as close to the source of the malicious traffic as possible.

The Internet Engineering Task Force (IETF) is developing a protocol called DDoS Open Threat Signaling (DOTS)[42] for the real-time exchange of DDoS-related telemetry between DDoS mitigation network elements. The IETF DOTS work aims to improve the cooperation between DDoS attack victims and parties that can help in mitigating such attacks. The protocol will support requests for DDoS mitigation services and status updates across inter-organizational administrative boundaries (e.g., network-to-network).

The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) DDoS special interest group[43] members are collaborating on a similar endeavor. M3AAWG is developing an application programming interface (API), data store, and open source reference implementations for network service providers to share DDoS threat indicators for the purpose of identifying sources of DDoS attack traffic, but not for mitigating attacks in real time. M3AAWG's approach allows network service providers to share, in an anonymous fashion, the source IP addresses of the inbound IP flows that their DDoS detection systems identify with the network on which the DDoS attack originated. This allows network operators to clean up the sources of DDoS attack traffic. By sharing only the source IP address, this approach is compatible with most of the global privacy laws with respect to the sharing of identifiable information.

[41] See 5G Americas, Network Slicing for 5G Networks & Services, available at http://www.5gamericas.org/files/3214/7975/0104/5G_Americas_Network_Slicing_11.21_Final.pdf (accessed July 7, 2017).
[42] IETF, DDoS Open Threat Signaling (dots), available at https://datatracker.ietf.org/wg/dots/about/ (accessed June 20, 2017).
[43] M3AAWG, M3AAWG Issues New Papers Explaining Password Security, Multifactor Authentication, Encryption Use and DDoS Safeguards; Announces Leadership and Committee Chairs, Press Release (Apr. 4, 2017), available at https://www.m3aawg.org/news/rel-leadership-papers-2017-04 (accessed June 20, 2017).
Challenges and Opportunities

Cybersecurity is a shared responsibility. Reducing the threats from bots, botnets, and their automated attacks requires the cooperation and collaboration of all members of the internet ecosystem. This section identifies a number of areas where the threats presented by bots and botnets can be reduced with better cooperation and collaboration by members of the internet ecosystem.

Botnet Takedowns

Challenge – No technique is more effective than law enforcement actions that lead to the arrest of the perpetrators. This is the only solution that addresses the root cause of the problem, and not just a symptom. Unfortunately, executing a botnet takedown requires significant up-front forensic analysis and careful coordination among many stakeholders, often across international borders. A limiting factor in the overall velocity of botnet takedowns is the lack of law enforcement resources. The other challenge is that most botnets are international in nature, requiring resource-intensive and time-consuming cooperation between nations.

Opportunity – Additional law enforcement resources and streamlining of international processes would aid the overall botnet takedown process.

Actionable Cyber Threat Information

Challenge – Network service providers must have both accurate and actionable cyber threat information to be able to quickly neutralize botnets. For information to be actionable, the cyber threat indicator has to be correlated to a single end-point. Many of the data feeds used and shared by enterprises are long-term IP reputation lists of little value to network service providers that operate networks with a large set of subscribers that have dynamically assigned IP addresses with short leases. This means the cyber threat indicator must be timely and either include the current IP address or the IP address together with a time-stamp of the malicious activity.

The same is true for IP addresses of the botnet C&C servers. C&C servers often do not have a static IP address. Often the C&C servers are on shared hosts where a single IP address is shared by multiple hosts. In addition, the C&C servers may have a pool of IP addresses or shared hosts that they rotate through.

Network service providers need a single, highly reliable, near-term indication that an IP address has generated malicious traffic or has been scanned to reveal exposed vulnerable services, as well as an indication of the compromised hosts.

Opportunities – Experts agree that cyber threat information needs to be timely and targeted to be effective. The cyber information sharing initiatives of the IETF's DOTS Working Group and the M3AAWG DDoS SIG are steps in the right direction. DHS's AIS[44] also provides an opportunity to improve and enhance the timely and tailored sharing of cyber threat indicators to meet recipients' needs.

[44] DHS, Automated Indicator Sharing (AIS), available at https://www.dhs.gov/ais (accessed June 20, 2017).

Network Address Translation

Challenge – Wireline ISPs operating IPv4 networks typically provide a residential subscriber with a single public IPv4 address. The residential subscriber often uses a home router that includes a network address translation (NAT) function, which allows them to share their one public IPv4 address with multiple devices in the home.

When an ISP receives information about a residential subscriber sending malicious traffic, that information, at best, can only contain the IPv4 address assigned to the customer and not that of the actual end-point behind the home router. The use of NAT technology makes it difficult for the ISP to identify the specific device in the subscriber's home that is sending malicious traffic.

Opportunity – IPv6 eliminates the need to use NAT for IP address sharing, as every device connected to the internet can have a publicly routable IPv6 address. While not a panacea (devices using the IPv6 privacy extensions of RFC 4941, for instance, rotate their addresses over time, so one address still need not map to one device), the elimination of NAT routers may make it easier to identify end-devices transmitting malicious traffic under certain circumstances, and to filter the suspect traffic appropriately. As of June 2017, IPv6 adoption by network providers was approximately 19% globally,[45] and 35% and growing within the U.S.
Off-Net Traffic

Challenges – As widely distributed global networks, most bots and their C&C servers are outside the network service provider's network and administrative control. In fact, numerous reports make clear that the overwhelming majority of botnet traffic originates outside the U.S.[46] Furthermore, in most cases, only a small portion of a network service provider's end-points may be infected by any single botnet, and the amount of traffic generated by the botnet on the network will be minuscule. This small amount of traffic can be very difficult to detect as it will not trigger many of the network monitoring thresholds that a network service provider has in place.

Opportunity – Addressing both of these challenges requires collaboration among network service providers, as one of the most effective measures is to filter the traffic as close as possible to the device infected with the bot. Any transit or peering agreements should include language that addresses availability and scrubbing of traffic, to allow network operators to ask the upstream provider(s) to filter malicious traffic.

End-User Notifications

Challenge – Notifying end-users and getting them to take action continues to be a challenge. There are multiple ways that members of the internet ecosystem can notify an end-user:[47]

• Email;
• Telephone call;
• Postal mail;
• Text message;
• Web browser notification;
• Walled garden; and
• Other methods.[48]

[45] Google, IPv6 Adoption (June 18, 2017), available at https://www.google.com/intl/en/ipv6/statistics.html#tab=per-country-ipv6-adoption&tab=per-country-ipv6-adoption (accessed June 20, 2017).
[46] Incapsula.com, Global DDoS Threat Landscape Q4 2016 (Winter 2017), available at https://www.incapsula.com/ddos-report/ddos-report-q4-2016.html (accessed June 20, 2017).
[47] Michael Glenn, Malware Notification and Remediation Tools and Techniques, CenturyLink presentation to NIST Workshop: Technical Aspects of Botnets (May 30, 2012), available at https://www.nist.gov/sites/default/files/documents/itl/csd/centurylink_malware_notification_and_remediation.pdf (accessed June 20, 2017).

A study commissioned by M3AAWG to determine the effectiveness of various notification and remediation methods showed that the two most effective methods are a telephone call to the device user and postal mail.[49] The growing use of IoT devices in homes presents new challenges in notifying end-users. IoT devices often have limited user interfaces, thus negating a number of the notification methods (web browser, walled garden, etc.). This is further compounded by the fact that an ISP can only notify an end-user that "a device" in their home is infected, and cannot identify the specific compromised device.

Opportunities – Various measures exist to improve device identification going forward. Better designed IoT devices that adhere to industry standards such as those being developed by the Open Connectivity Foundation (OCF)[50] are one avenue to improve security. And, as noted earlier, network operator support for IPv6 will aid in both the identification of the infected device and the notification of the user of the device.

Fast Flux DNS

Challenge – The use of fast flux[51] by malware and botnets to hide their infrastructure continues to grow. Fast flux is a DNS technique where numerous IP addresses associated with a single domain name are swapped in and out with extremely high frequency, typically behind very short DNS TTLs. Fast flux effectively hides the computers or servers that are performing the malicious activity from being detected. Fast flux makes cutting off contact between the bots and the C&C servers difficult or impossible by IP address filtering alone.

Opportunity – In 2008, the ICANN Security and Stability Advisory Committee (SSAC) published a security advisory that made a number of mitigation recommendations to address fast flux DNS techniques. Among its findings and recommendations, the SSAC encouraged ICANN, registries, and registrars to consider the fast flux mitigation practices in the advisory.

Since that time, advancements in machine learning have been applied to detecting botnets that use fast flux DNS techniques. Advancements in the application of machine learning to detect botnets that are making rapid changes to DNS entries enable automation and integration into botnet detection systems.

[48] Other methods may include a social media message, an alert to the TV via the set-top box, a direct-deposit voicemail message, etc.
[49] Georgia Tech Researchers, DNSChanger Remediation Study, Presentation to M3AAWG 27th General Meeting, San Francisco, CA (Feb. 19, 2013), available at https://www.m3aawg.org/sites/default/files/document/GeorgiaTech_DNSChanger_Study-2013-02-19.pdf (accessed June 20, 2017).
[50] See Open Connectivity Foundation, available at https://openconnectivity.org/ (accessed June 20, 2017).
[51] ICANN Security and Stability Advisory Committee (SSAC), SAC025 SSAC Advisory on Fast Flux Hosting and DNS (Mar. 2008), available at https://www.icann.org/en/system/files/files/sac-025-en.pdf (accessed June 20, 2017).
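The fast flux behaviour described in the challenge above is visible in the DNS answers themselves, which is what the detection systems the opportunity paragraph refers to consume. The following added example (not from the paper or from any product) scores a name from a series of repeated lookups: a legitimate service resolves to a small, stable set of addresses with normal TTLs, while a flux domain churns through many addresses in many networks with TTLs of a few minutes. The lookup snapshots are constructed, not observed; the /24 grouping stands in for the ASN diversity a real system would obtain from an external lookup, and the thresholds are illustrative assumptions.

```python
"""Fast flux scoring from successive DNS answers (added example, constructed data)."""
import ipaddress

# Constructed: repeated lookups of two names, each answer as (ttl_seconds, [A records]).
LOOKUPS = {
    "cdn.example.net": [
        (3600, ["198.51.100.10", "198.51.100.11"]),
        (3600, ["198.51.100.10", "198.51.100.11"]),
        (3600, ["198.51.100.11", "198.51.100.10"]),
    ],
    "update-check.example.org": [
        (180, ["203.0.113.14", "192.0.2.77", "198.51.100.200"]),
        (180, ["203.0.113.88", "192.0.2.9", "198.51.100.31"]),
        (120, ["203.0.113.201", "192.0.2.140", "198.51.100.5"]),
        (180, ["203.0.113.3", "192.0.2.201", "198.51.100.77"]),
    ],
}


def flux_metrics(answers):
    """Summarise address churn across a series of (ttl, a_records) answers."""
    seen, per_answer = set(), []
    for _ttl, records in answers:
        per_answer.append(len(records))
        seen.update(records)
    # /24 diversity is a stand-in for ASN diversity, which needs an external lookup
    nets = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in seen}
    return {
        "distinct_ips": len(seen),
        "avg_records": sum(per_answer) / len(per_answer),
        "distinct_nets": len(nets),
        "min_ttl": min(ttl for ttl, _ in answers),
        "churn": len(seen) / sum(per_answer),  # 1.0 means no address was ever repeated
    }


def flux_score(answers, max_ttl=300, min_distinct=5, min_churn=0.75):
    """0 to 3 points: short TTL, many distinct addresses, mostly-new addresses per answer."""
    m = flux_metrics(answers)
    score = 0
    score += int(m["min_ttl"] <= max_ttl)
    score += int(m["distinct_ips"] >= min_distinct)
    score += int(m["churn"] >= min_churn)
    return score


def is_fast_flux(answers, threshold=2):
    return flux_score(answers) >= threshold


if __name__ == "__main__":
    for name, answers in LOOKUPS.items():
        print(name, flux_metrics(answers), "fast flux" if is_fast_flux(answers) else "stable")
```

Large CDNs also answer with short TTLs and rotating addresses, which is why the churn and network-diversity signals are combined with TTL rather than used alone, and why a production system feeds these metrics into a trained model together with registration age and reputation data rather than a fixed score.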
Insecure IoT Devices

Challenge – As discussed throughout this paper, the growing installed base of IoT devices is making such devices attractive targets for cyber criminals to infect with bot code. A good example is the recent Mirai botnet attack, in which unsecured, internet-connected IoT security cameras were infected to generate a massive DDoS attack. This is not a new phenomenon; the problem has been around for years, as many consumer-grade home routers shipped with known vulnerabilities that have been exploited to generate large-scale DNS amplification attacks.

The types of known vulnerabilities[52] found in many IoT devices on the market today include:

• Shipping IoT devices with out-of-date software containing known vulnerabilities and lacking the capability for automated software updates;
• Protection only by factory-default or hard-coded usernames and passwords;
• Unauthenticated communications;
• Unencrypted communications; and
• Lack of mutual authentication and authorization.

Insecure IoT devices present a unique challenge: once they are compromised it is often impossible for the end-user to detect that they have been compromised and, as noted earlier, it is difficult for a network service provider to notify the end-user that their device has been compromised. Even after the end-user is aware of the compromise, it is often impossible to remediate the problem due to either the lack of a software update and/or the lack of automated software updates.

[52] Broadband Internet Technical Advisory Group (BITAG), Internet of Things Security and Privacy Recommendations (Nov. 2016), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).

Opportunity – IoT devices can be better secured through the use of network/path isolation.[53] Network/path isolation techniques (VPNs, VLANs, policy-based routing, network slicing, etc.) can be used to create independent logical traffic paths. These independent logical traffic paths ensure the IoT traffic can only reach the designated endpoints. This helps to mitigate the impacts of any malicious traffic that a compromised IoT device may send.

With the advances in network function virtualization (NFV) and SDNs, opportunities exist for IoT manufacturers to design devices to use network/path isolation techniques as part of their service. Additionally, opportunities exist for network service providers to offer network/path isolation as a service to IoT providers or end-users for their IoT devices.

Amplification Attacks

Challenge – An amplification attack is a type of DDoS attack that takes advantage of the fact that a small query such as a DNS query can generate a much larger response. When combined with source address spoofing, an attacker can direct a large volume of network traffic to a target system. The asymmetric nature of amplification attacks makes them a preferred choice for DDoS attacks. Amplification attacks often leverage UDP-based protocols such as the DNS protocol, Network Time Protocol (NTP), Character Generator (CharGEN), and Quote of the Day (QOTD). Approximately 15 internet protocols are susceptible to amplification attacks.[54] Internet engineers developed an extension to the DNS protocol, the DNS Security Extensions (DNSSEC), to address DNS's vulnerability to cache poisoning. Unfortunately, a side effect of this fix is that signed DNS responses are much larger, which further amplifies the attack.

The implementation of source address validation (SAV)[55] as recommended in IETF BCP 38/84 stops spoofed packets from leaving the networks that deploy it, and so prevents those networks from being used to launch amplification attacks with spoofed source addresses. Although most large U.S. network service providers[56] have implemented source address validation, approximately 30% of the overall IP address space is still spoofable.[57]

[53] Cisco, Network Virtualization -- Path Isolation Design Guide (July 22, 2008), available at http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html (accessed June 20, 2017).
[54] United States Computer Emergency Readiness Team (US-CERT), UDP-Based Amplification Attacks, Alert (TA14-017A) (Nov. 4, 2016), available at https://www.us-cert.gov/ncas/alerts/TA14-017A (accessed June 20, 2017).
[55] SAV has been a best practice for ISPs for a long time (see IETF RFC 2267, published in 1998), but due to the difficulty of implementing SAV in some commercial situations it may not be fully implemented across ISPs' networks.

Opportunity – The use of IP filtering or source address validation (SAV) for spoofed IP addresses, as outlined in the IETF's Best Current Practices (BCP) 38 and 84, is a proven technique to mitigate DDoS amplification attacks using spoofed source addresses.
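The SAV check that BCP 38 asks for at the customer edge, and the looser variant BCP 84 discusses for multihomed customers, are small enough to model directly. The following is an added example (not from the paper, the RFCs or any router vendor) of an ingress filter as a router would apply it: in strict mode a packet is accepted only if its source address lies within the prefixes assigned to the interface it arrived on; in loose mode it is accepted if the source is routable at all. The interfaces, assigned prefixes, routing table and packets are all constructed. The traffic includes a DNS amplification request whose source is forged to be the victim, which is exactly the packet strict-mode SAV exists to drop.

```python
"""Source address validation (BCP 38 / BCP 84) at the customer edge (added example).

Strict mode: source must belong to the ingress interface's assigned prefixes.
Loose mode: source must merely be routable (the BCP 84 compromise for
multihomed customers whose return path may differ from their ingress).
All interfaces, prefixes and packets below are constructed.
"""
import ipaddress

# Constructed: customer-facing interface -> prefixes the ISP assigned to it.
INTERFACE_PREFIXES = {
    "ge-0/0/1": ["198.51.100.0/24"],                       # single-homed business customer
    "ge-0/0/2": ["203.0.113.0/25", "2001:db8:1::/48"],     # dual-stack customer
}
# Constructed: every prefix present in the routing table (what loose mode consults).
ROUTED_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24", "2001:db8::/32"]


def _networks(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def source_allowed(interface, src, mode="strict"):
    """BCP 38 check: may a packet with this source address enter on this interface?"""
    addr = ipaddress.ip_address(src)
    if mode == "strict":
        candidates = _networks(INTERFACE_PREFIXES.get(interface, []))
    elif mode == "loose":
        candidates = _networks(ROUTED_PREFIXES)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    # ipaddress returns False for a v6 address tested against a v4 network, and vice versa
    return any(addr in net for net in candidates)


def filter_packets(packets, mode="strict"):
    """Split (interface, src, dst) packets into (accepted, dropped) lists."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if source_allowed(iface, src, mode) else dropped).append(pkt)
    return accepted, dropped


# Constructed traffic. The third packet is a DNS amplification request whose source
# is forged to be the victim 192.0.2.10, so the reflector's large answer lands on the
# victim. The fifth carries a neighbour's routable address on the wrong interface
# (caught by strict mode only); the sixth an unrouted source (caught by both modes).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "198.51.100.7", "8.8.8.8"),
    ("ge-0/0/2", "203.0.113.9", "1.1.1.1"),
    ("ge-0/0/1", "192.0.2.10", "203.0.113.53"),
    ("ge-0/0/2", "2001:db8:1::42", "2001:db8::53"),
    ("ge-0/0/1", "203.0.113.200", "203.0.113.53"),
    ("ge-0/0/1", "10.9.9.9", "203.0.113.53"),
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        _accepted, dropped = filter_packets(SAMPLE_PACKETS, mode)
        print(mode, "drops:", [src for _, src, _ in dropped])
```

The loose-mode result is the point BCP 84 makes: a forged but routable source such as the victim's own address passes, so loose mode only removes the unallocated and bogon sources and does nothing against reflection. On Cisco IOS the two modes correspond to `ip verify unicast source reachable-via rx` (strict) and `reachable-via any` (loose) on the customer-facing interface; the per-interface prefix list in the example is what strict uRPF derives from the routing table automatically.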
The Mutually Agreed Norms for Routing Security (MANRS)[58] is an industry-led effort to codify a set of shared values for network operators into a set of definitions and ideal behaviors. MANRS recommends the implementation of anti-spoofing filtering to prevent packets with incorrect source IP addresses from entering or leaving the network. To date, over 45 network operators are participating in MANRS. The opportunity exists to get the spoofable address space to near zero with every network operator participating in MANRS.

[56] MANRS, Participants (Mar. 6, 2015), available at https://www.routingmanifesto.org/participants/ (accessed June 20, 2017).
[57] Center for Applied Internet Data Analysis, State of IP Spoofing, available at https://spoofer.caida.org/summary.php (accessed June 20, 2017).
[58] MANRS, Mutually Agreed Norms for Routing Security (MANRS) Document (Sept. 8, 2016), available at http://www.routingmanifesto.org/manrs/ (accessed June 20, 2017).

Network-to-Network Coordinated Network Management

Challenge – Although coordinated network management may sound simple and desirable, it is not without challenges, especially given the potential negative impact on internet end-users. Ideally botnet mitigations would be fast and directed at the source of the attack. Advancements in how networks are architected using SDNs and the use of automated M2M sharing of cyber threat indicators start to make it technically viable for network operators to automate the coordination of their botnet mitigations and reduce the response time when either a malicious bot is detected on a network or a botnet is initiating an attack. But there are challenges, ranging from technical to contractual and policy issues.

The technical challenges include both detection and mitigation. Without a source of ground truth for what is and isn't botnet traffic, given that botnet traffic is often designed to look like normal internet traffic, there is the potential for false positives. Even with a source of ground truth, botnet mitigation methods will vary from network to network due to inherent differences in how the networks are designed and built, as well as the differences in service level agreements between network service providers and their customers.

Blindly mitigating botnets through the use of automation is fraught with risks. There are many cases where a command and control server is not owned by, or not completely under the control of, the bot operator, such as: 1) shared DNS servers, 2) shared IPs, and 3) public web sites.[59] Blindly applying a botnet mitigation method such as filtering the IP address would prevent all the services that share the resource (e.g., DNS, shared server, or service) from being accessible. The challenge is not limited to shared resources. Without full knowledge of the service level agreement in place between the network service provider and the customer, a network service provider cannot blindly filter the traffic to that end-point.

In addition, within the telecom/ISP industry there is an emerging trend toward the adoption of SDN, which is still in its infancy, but generally describes the automation of management and orchestration of network assets and services. Typically, this includes the coupling of big data frameworks that leverage advanced analytics and machine learning to serve as feedback loops for these SDN-driven networks to predict, recommend, and prescribe in an effort to improve the responsiveness and resilience of their assets and services. Such implementations vary widely in terms of capability and maturity across providers, and in most cases reflect highly protected intellectual property that provides uniquely competitive experiences and offerings. Nevertheless, such an ecosystem could be used as an attack mitigation strategy.

Deployment of SDN and these tools is well beyond the conceptual stages; it is the complexity and cost of global implementation across highly heterogeneous networks that stand as obstacles to providers' speed in implementing them.

Opportunity – Better collaboration and coordination can reduce the time that it takes to respond to cyber threats. As mentioned earlier, industry is developing solutions such as the IETF DOTS work, the M3AAWG DDoS SIG's information sharing pilot, and an information sharing pilot being led by CTIA that will reduce the response time by sharing "actionable" cyber threat information. In addition, as threat information sharing platforms mature in their capabilities, this will aid in reducing network operators' response time.

[59] Public web sites include sites like Twitter, Amazon AWS, Google Cloud, and Rapidshare.

The key for any successful coordinated network management against botnets is close, trusted collaboration and communications between stakeholders.
Industry Recommendations

This paper sets forth some of the problems presented by bots and botnets and the challenges and opportunities facing the owners and operators of broadband networks. The following section focuses on the preliminary recommendations that may be actionable by not only network service providers but the entire internet ecosystem to help reduce the threats from botnets using existing technology. The preliminary recommendations here are from the CSCC's perspective. There is a need to discuss best practices and capabilities for all segments of the ecosystem, including software developers along with cloud, hosting, and application infrastructure providers.

Attack Mitigation

• Encourage continued migration to IPv6.
  The broad use of IPv6 will allow devices to have a unique address and can make it easier to track down the source of malicious traffic under certain circumstances.

• Ensure that shared cyber threat information is actionable and tailored to meet the needs of recipients.
  Cyber threat information that is shared between internet stakeholders needs to be actionable by the recipients. Information sharing pool participants should tailor the information they share with their peers to be actionable.

• Include pre-negotiated provisions for traffic filtering in transit and peering agreements.
  Network service operators of all sizes (ISPs, enterprises, governments, educational institutions, etc.) and end-users should ensure they have provisions in place with their internet transit providers and peering networks to provide for upstream filtering and scrubbing of malicious traffic.

• Streamline the law enforcement botnet takedown process.
  Law enforcement can play a key role in neutralizing botnets. Efforts are necessary to streamline the law enforcement process to increase the speed and efficacy of law enforcement botnet takedowns.

• Encourage ICANN, registries, and registrars to adopt the fast flux mitigation techniques in SAC025, SSAC Advisory on Fast Flux Hosting and DNS.
  The internet ecosystem should encourage ICANN, registries, and registrars to consider and adopt the fast flux mitigation techniques in the SSAC advisory.

• Adapt and apply machine learning to the detection of botnets.
  The internet ecosystem should move away from manually reverse engineering botnet domain generation algorithms and begin applying machine learning to automate the real-time detection of botnets using fast flux, encryption, and other techniques to mask their infrastructure.

Endpoint Prevention

• Ensure all end-points, including IoT devices, adhere to industry-developed security standards.
  Multiple industry-led efforts are under way to develop security standards for IoT devices. IoT device manufacturers and IoT service providers should work to ensure all IoT devices adhere to their respective industry security standards and best practices for IoT security.

• Ensure end-points are running up-to-date software.
  As the saying goes, "an ounce of prevention is worth a pound of cure." This applies to consumer/customer end-points as well. Ensuring that all end-points (desktops, mobile, IoT, etc.) are running up-to-date software with the latest security patches and updates will help tremendously in reducing the number of infected and compromised end-points on the internet.

• IoT devices should use network isolation and/or network-based filtering techniques for any communications to cloud-based services.
  Network isolation and/or network-based filtering are proven techniques for reducing the ability of a rogue internet end-point to do harm.[60] IoT device manufacturers and IoT service providers should design their products and services to make use of these techniques.

Conclusion

Cybersecurity is a shared responsibility. Securing the internet from threats from botnets requires the collaboration and cooperation of all members of the internet ecosystem, both domestically and internationally. The preliminary recommendations in this paper represent just some of the many ways that botnet threats and their capacity for harm can be reduced through broad engagement by the stakeholders.
About the Authors
Matt Tooley is the Vice President of Broadband Technology at NCTA – The Internet and Television Association. He is a member of the Communications Sector Coordinating Council's Executive Committee. Tooley has over 30 years of experience in the broadband industry in developing and deploying broadband technology for internet service providers.
This paper includes key contributions from AT&T, CenturyLink and Cox Communications.
[60] BITAG, Internet of Things (IoT) Security and Privacy Recommendations (Nov. 2016) at Sec. 6 (discussing "A possible role for in-home network technology"), available at http://bitag.org/documents/BITAG_Report_-_Internet_of_Things_(IoT)_Security_and_Privacy_Recommendations.pdf (accessed June 20, 2017).
Appendix A - Cyber Threat Reports
Top 10 Worst Botnet Countries
Rank  Country                    Number of Bots
1     China                      1,375,637
2     India                      958,814
3     Russian Federation         569,463
4     Brazil                     429,942
5     Vietnam                    380,639
6     Iran, Islamic Republic Of  242,909
7     Argentina                  177,701
8     Thailand                   173,027
9     Mexico                     145,516
10    C?*                        141,684
Source: Spamhaus as of June 29, 2017. https://www.spamhaus.org/statistics/botnet-cc/
* Spamhaus reports the tenth country on this list as "C?."
Top 10 Botnet Traffic Attacking Countries
Rank  Country         Percentage of Attack Traffic
1     China           50.8%
2     South Korea     10.8%
3     United States   7.2%
4     Egypt           3.2%
5     Hong Kong       3.2%
6     Vietnam         2.6%
7     Taiwan          2.4%
8     Thailand        1.6%
9     United Kingdom  1.5%
10    Turkey          1.4%
Source: Incapsula Global DDoS Threat Landscape Q1 2017. https://www.incapsula.com/ddos-report/ddos-report-q1-2017.html
Top Countries by % of Countries' IP Addresses Participating in DDoS Attacks, Q1-Q4 2016 [61]
(each quarter lists Country, % of the country's IP addresses, and number of source IPs)

Q1 2016
Country      % of Country's IP Addresses  Source IPs
Turkey       0.282%                       43,400
Brazil       0.075%                       36,472
China        0.035%                       115,478
South Korea  0.028%                       31,692
U.S.         0.005%                       72,598

Q2 2016
Country      % of Country's IP Addresses  Source IPs
Vietnam      0.130%                       20,244
China        0.093%                       306,627
Taiwan       0.081%                       28,546
Canada       0.026%                       20,601
U.S.         0.006%                       95,004

Q3 2016
Country      % of Country's IP Addresses  Source IPs
U.K.         0.036%                       44,460
Brazil       0.025%                       81,276
China        0.025%                       81,276
France       0.025%                       23,980
U.S.         0.004%                       59,350

Q4 2016
Country      % of Country's IP Addresses  Source IPs
Russia       0.078%                       33,211
U.K.         0.059%                       72,949
Germany      0.042%                       49,408
China        0.014%                       46,783
U.S.         0.012%                       180,652

Sources:
Akamai's State of the Internet Security Q4 2016 report. https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q4-2016-state-of-the-internet-security-report.pdf
Wikipedia contributors, "List of countries by IPv4 address allocation," Wikipedia, The Free Encyclopedia, https://en.wikipedia.org/w/index.php?title=List_of_countries_by_IPv4_address_allocation&oldid=776891748 (accessed July 17, 2017).
[61] The number of source IPs participating in DDoS attacks is from the Akamai State of the Internet Security Report Q4 2016. The data has been normalized for the percent of a country's assigned IPv4 addresses from IANA data at the time of the writing of this paper. The percentages may vary some from the time of the Akamai report.
Appendix B – Threats from Botnets
Click Fraud
Websites are often paid for by advertisers. Advertisers pay by the number of "clicks" or visits to the advertiser's website. If a website or advertising broker is able to generate a perception that many people are visiting an ad, it compels the advertiser to pay for each of those visits. One way to generate lots of clicks is to command a botnet to generate those visits.
Email spam, phishing email, or malware email
Botnets are often used to originate unsolicited bulk email, which may also include distribution of malware of various types such as ransomware, links to phishing sites, and malware associated with bots. Botnets can also be used to send more mundane unsolicited sales propaganda.
Unauthorized Network Gateway
Bots within a protected network boundary such as an enterprise network can become unauthorized gateways into the protected boundary, and can be used to gain access to other resources (data or computers) within the protected boundary (aka lateral movement).
Data Theft
Bots can steal data from infected devices through means such as network monitoring, key logging, or scraping data from memory or disk. This is frequently accomplished because many bot members sit within private and enterprise networks next to assets containing the valuable data. A great amount of data theft today is accomplished with "Spear Phishing"[62] attacks where valid looking emails are sent to a person at a company and that email is used to steal intellectual property or banking information, or to host malware. A typical attack may consist of the "bad guy" sending an email to an administrative assistant or other lower level employee that looks like it came from a senior executive, whereby the "executive" is asking for the email recipient to reset a password because an "invoice needs to be paid" today. The recipient will reset the password using obfuscated links containing malware in the email. This allows the infection to begin, and the installed APT (Advanced Persistent Threat) software then conducts illegal activities.
[62] Federal Bureau of Investigation (FBI), Spear Phishers (Apr. 1, 2009), available at https://archives.fbi.gov/archives/news/stories/2009/april/spearphishing_040109 (accessed July 17, 2017).
Illicit Content Distribution
Bots are sometimes connected to peer-to-peer file sharing networks to help store and distribute illegal content.
Brute force password guessing
Botnets are used for brute force password guessing. One method uses high speed password guessing attempts using a random password algorithm, a password dictionary or a predefined password list. First, brute forcing can be used by an individual bot member as a recruitment method to infect other devices by scanning for any assets with a known open exposed port and then implementing one of the brute force methods explained to "guess" the password. Second, it can be used by a bot or botnet to brute force an intended target's login credentials to gain access to the privilege or data the credential provides.
Processing Theft (e.g., Bitcoin mining)
Due to the number of bot members typically seen in botnets, and the rising price of cryptocurrency (e.g. Bitcoin), botnets are very frequently seen being used to "mine" for coins. The process for mining Bitcoins requires the solving of very complex math equations which, when solved, award the miner a set number of coins. In order to be successful, a miner needs a tremendous amount of computing power to solve these equations in the least amount of time. This is where a botnet can be extremely useful. By harnessing the computing power of a larger number of bots and "commanding" those bots to act as miners, the botnet owner can use the combined processing of many bots to make Bitcoin mining very lucrative.
Botnets have also been used to harness the computing power of the infected devices in order to perform Bitcoin mining or other activities for the benefit of the malicious actors running the botnet and not the legitimate owners of the computing resources.
Glossary
AIS – Automated Indicator Sharing. The Department of Homeland Security (DHS) operates a free service for the exchange of cyber threat indicators.
Bot – A program that is installed on a system in order to enable that system to automatically (or semi-automatically) perform a task or set of tasks, typically under the command and control of a remote administrator (aka botmaster or bot herder).
Botnet – A network of internet-connected end-user computing devices infected with bot malware, which are remotely controlled by third parties for nefarious purposes.
Command & Control (C&C) – A remote computer used to coordinate the actions of bots.
CTI – Cyber Threat Indicator is the information that is necessary to describe or identify an attribute of a cybersecurity threat.
DDoS – Distributed Denial of Service attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources.
DNS – Domain Name System is the hierarchical decentralized naming system for resources connected to the internet.
DNS Water Torture – An attack type where many end-points send queries for a victim's domain with a random string prepended to the domain, which overwhelms the victim's authoritative DNS server and makes the victim's domain inaccessible.
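As an added illustration of how a recursive resolver operator can spot the water torture pattern just defined (example code written for this edit, not from the CSCC paper), the block below buckets queries by zone and time window and flags a zone when many distinct leftmost labels arrive from many clients. The log layout, the victim zone name, the zone-depth rule and the thresholds are constructed assumptions.

```python
"""Added example, not from the CSCC paper: flag a DNS water torture pattern in a
constructed resolver query log. Layout and thresholds are assumptions."""
from collections import defaultdict

# Constructed log lines: "<epoch_seconds> <client_ip> <qname> <qtype>".
# Clients use a documentation range; victim.example is a made-up zone.
SAMPLE_LOG = """\
1499000000 192.0.2.10 www.example.org A
1499000001 192.0.2.11 k3j8x1.victim.example A
1499000001 192.0.2.12 q9z0pp.victim.example A
1499000002 192.0.2.13 a7b2c4.victim.example A
1499000002 192.0.2.14 zz81lm.victim.example AAAA
1499000003 192.0.2.15 m0n9o8.victim.example A
1499000003 192.0.2.16 mail.example.org MX
1499000004 192.0.2.17 p1q2r3.victim.example A
1499000004 192.0.2.18 www.victim.example A
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, qname, qtype = line.split()
        events.append((int(ts), client, qname.lower().rstrip("."), qtype))
    return events

def zone_of(qname, depth=2):
    """Assumption: the last `depth` labels are the zone whose authoritative server suffers."""
    return ".".join(qname.split(".")[-depth:])

def water_torture_zones(events, window=10, min_unique=5, min_clients=3):
    """Return {zone: distinct labels} for zones that exceed the thresholds in any window."""
    buckets = defaultdict(lambda: {"labels": set(), "clients": set()})
    for ts, client, qname, _ in events:
        labels = qname.split(".")
        if len(labels) <= 2:            # apex query, no prepended label to count
            continue
        key = (zone_of(qname), ts // window)
        buckets[key]["labels"].add(labels[0])
        buckets[key]["clients"].add(client)
    flagged = {}
    for (zone, _), b in buckets.items():
        if len(b["labels"]) >= min_unique and len(b["clients"]) >= min_clients:
            flagged[zone] = max(flagged.get(zone, 0), len(b["labels"]))
    return flagged
```

A resolver that sees this pattern can rate-limit or drop unanswerable queries for the affected zone rather than forwarding them to the overloaded authoritative server.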
DOTS – DDoS Open Threat Signaling is a method by which a device or application participating in DDoS mitigation may signal information related to current threat handling to other devices or applications.
ICANN – Internet Corporation for Assigned Names and Numbers is the nonprofit organization responsible for coordinating the maintenance and procedures of the internet's namespace.
IRC - Internet Relay Chat is an internet protocol that facilitates communicating in text using a client/server architecture.
IoT - Internet of Things is the umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or to the Internet.
IPv4 – Internet Protocol version 4 is the fourth version of the Internet Protocol (IP). IPv4 is one of the core protocols and still routes most Internet traffic today.
IPv6 – Internet Protocol version 6 is the sixth version of the Internet Protocol (IP). IPv6 is the most recent version and was developed to address the anticipated problem of IPv4 address exhaustion. IPv6 is intended to replace IPv4.
Kill Chain – Idea put forth by Lockheed Martin to describe the phases of a targeted cyber-attack: 1) reconnaissance, 2) weaponization, 3) delivery, 4) exploit, 5) installation, 6) command & control, and 7) actions.
NAT – Network Address Translation is a method for remapping one IP address space into another by modifying the address in the IP packet headers to allow multiple end-points to share one address while they transit a network router.
Network Service Provider – A network service provider or operator is any enterprise that is operating a network that has an assigned autonomous system number (ASN).
Peering – Peering is the voluntary interconnection of two separate networks for the purpose of exchanging traffic between users on each network.
Peer-to-Peer (P2P) – Traditionally, botnet clients communicate with a C&C server for commands. P2P botnets operate without a C&C server, where each bot is both a client and a server.
Software Defined Networking (SDN) – An approach to computer networking that allows for the programmatic control of network behavior using open interfaces and decoupling the packet forwarding plane from the control plane, to allow for the use of standard servers and Ethernet switches to provide the routing function instead of specialized routers.
SSAC – The Security and Stability Advisory Committee advises the ICANN community and Board on matters relating to the security and integrity of the internet's naming and address allocation systems.
Tarpit – A tarpit is a computer that purposely delays incoming connections. It is a defensive measure to make spamming and network scanning slower. It is analogous to a tar pit in which animals can get bogged down and slowly sink under the surface.
Transit – Internet transit is the service of allowing network traffic to "transit" a network to reach another network. Small network operators and enterprises buy Internet transit to gain access to the Internet.